The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the European Council, and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The primary objectives of the GDPR are to give citizens back the control of their personal data and to simplify the regulatory environment for international businesses by unifying the regulation within the EU. When the GDPR takes effect, it will replace the data protection directive (officially Directive 95/46/EC) from 1995 which was enacted into British law via the 1998 Data Protection Act
"personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address."
To book an impact assessment about how GDPR will affect your business or for anything GDPR-related, contact us at firstname.lastname@example.org
Also make sure you check our 12 steps to GDPR Compliance Guide.
In order for ProCheckUp to conduct a suitably detailed assessment on a company, it is essential to understand the Data environment and processes to be assessed. This understanding is achieved through a scoping exercise conducted between the client (and any relevant third parties involved), the technical consultant who will be conducting the assessment as well as the dedicated Account Manager. One of the most crucial elements of this process is understanding the overall outcome the client wishes to achieve. With this in mind, the entire engagement can be tailored to reach the objectives of the client.
ProCheckUp Engagement Lifecycle
ProCheckUp utilises a standard engagement model for all engagements using a robust, holistic approach as defined below: -
Offering - Activities that take place before the execution of a consultancy assignment:
- Pre-sales and identification of client needs
- Creation of an agreement covering: - Context - Services and deliverables - Approach and work plan - Roles and responsibilities.
Execution - Delivery of the services agreed:
- Refining and implementing the work plan;
- Assignment of staff, management, and mentoring;
- Approval and acceptance.
Closure - At the end of a consultancy assignment:
- Final client evaluation;
- Conclusion of obligations;
- Any subsequent improvements to the service.
The diagram below illustrates the full methodology of the GDPR Engagement with ProCheckUp.
Phase one. Pre-Compliance Assessment
The pre-compliance assessment involves understanding the size of the compliance risk to your business, to determine where you stand, and create a compliance programme tailored to your specific requirements. This involves gathering data to identify gaps within your current security posture, GDPR and any other security standards where applicable.
The pre-compliance assessment will typically include:
- Conducting an on-site review of IT infrastructure, network design and architecture, application architecture, policies, procedures and processes;
- Identifying your sensitive data environment (stores locations) and determining your data flows;
- What personal data the company possesses;
- Where it is transferred to (third parties) and backup/storage;
- How it is secured/marked through the lifecycle;
- Performing vulnerability assessment scans that adhere to industry good practice;
- A gap analysis between the pre-assessment of the policies, procedures and processes as well as scan results against both industry best practice and the requirements of the EU GDPR;
- A risk analysis and recommendations report;
- Scoping and prioritising remediation activities.
Phase two - Remediation
Based upon the results of the pre-compliance assessment, the remediation programme provides a controlled, focused, and effective framework towards achieving compliance. Our remediation programme will help your organisation develop, implement and document the evidence required to prove compliance in accordance with the EUGDPR. We will look to form close working relationships with your organisation and any third-party vendors that are involved in delivering hardware, software and services.
Phase three – Audit and report on compliance
This phase will involve a formal audit process and include the production of the Report on Compliance to the EU GDPR.
Phase four - Maintaining Compliance
Achieving compliance isn’t just a one-off exercise but a continued journey.
It is vital that with any process or technology decisions are taken with compliance in mind. ProCheckUp can assist by managing the overall process, providing programme management from the initial pre-compliance assessment through to ongoing compliance.